This exploit uses the Cable Haunt vulnerability to pop a shell from an external network for the Technicolor TC7230 (STEB.01.25*) cable modem. Firmware version STEB.01.3G or newer should be secure against Cable Haunt, and has been made available by Technicolor. A similar, but only locally hostable, exploit exists for Sagemcom F@st 3890.
A list of known vulnerable modems can be found on https://cablehaunt.com/#faq-am-i-affected.
There are two ways of exploiting the TC7230 with this repository.
This exploit uses the same principle as the Sagemcom F@st 3890 exploit.
The biggest difference is that the attack webserver can be hosted externally.
exploit.py serves a website that, when visited by any computer on the same local network as the modem, sends a malicious WebSocket request to the cable modem.
The request overflows the return address and accompanying registers in the cable modem's Spectrum Analyzer and uses a ROP chain to start a reverse shell to an external IP.
The ROP chain is constructed and commented in static/exploitTechnicolor.js, where the external IP address that is connected to can be changed on line 100.
Note that since all commands are sent as JavaScript text frames, the IP address has to be constructible from UTF-8 characters. More details can be found in the Cable Haunt technical report or here, and this can be tested via utf8TestScript.py.
The exploit.py server then sends the exploit.raw file over this TCP connection which will then be executed by the modem.
The exploit.raw file is reverseshell.c compiled to MIPS architecture (see below how).
reverseshell.c is a shell written explicitly for this modem. The shell listens for commands to be run in the eCos shell on the cable modem and redirects STDOUT to the TCP connection.
Note: Windows 10 is not currently supported; you must use a Linux-based OS.
Install pwntools and flask for Python 3 and run python exploit.py.
Now go to the IP or domain name where the server is hosted (http://127.0.0.1:8080 if hosted locally) in your browser, to exploit the modem.
Firefox will not work for this, as the WebSocket version it uses is not compatible.
Now an interactive shell should pop in your terminal running the python script. If you exit the shell, the modem needs to be rebooted to start a new shell.
The second method indirectly attacks the cable modem through its residential gateway and uses this as another unit on the network. This is the attack registered as CVE-2019-19495. The attack uses DNS rebinding to gain access to the web configuration of the TC7230. With access to this configuration, it sets up port forwarding for the telnet server running on the Linux side of the TC7230. From there it sends a Cable Haunt exploit package to gain full control of the cable modem.
To run this exploit, install the required dependencies for DNS.py. When run, the script serves a malicious web server on port 80 and a DNS server on port 53. To simulate owning the domain pwnmymodem.com, change the primary DNS server of the victim's machine to the attacker's IP. Remember to change the IP in DNS.py accordingly.
When the victim then opens http://pwnmymodem.com, the exploit triggers after some time (around 2 minutes), as the DNS cache of the victim's browser has to be cleared before the exploit will execute.
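The rebinding step above only works if the victim's resolver is willing to hand back a LAN address (the gateway's) for a public name. Resolvers can refuse such answers, which is what dnsmasq's --stop-dns-rebind option does. The following is an added example, not part of this repository, that implements that check in Python over constructed sample answers; the sample addresses, the allow-list parameter and the function names are assumptions made for illustration.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Ranges an answer for an Internet hostname should never resolve to. A rebinding
# resolver first returns a public address, then flips to a LAN address (such as the
# gateway's) with a tiny TTL so the victim's browser reaches the modem's web
# configuration under the attacker's origin.
_BLOCKED_NETWORKS = [
    ipaddress.ip_network(n) for n in (
        "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
        "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
        "::1/128", "fc00::/7", "fe80::/10",
    )
]

def is_rebind_target(addr: str) -> bool:
    """True if a DNS answer for a public hostname points at a local/private address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not an IP literal; the caller should treat it as malformed
    return any(ip in net for net in _BLOCKED_NETWORKS)

def filter_answers(name: str, answers: Iterable[Tuple[str, int]],
                   allow_names: Iterable[str] = ()) -> Tuple[List[Tuple[str, int]],
                                                             List[Tuple[str, int]]]:
    """Split (address, ttl) answers for `name` into (kept, dropped).

    Answers that would rebind a public name onto the LAN are dropped. Names listed
    in allow_names (e.g. genuine internal hostnames) are exempt from the check.
    """
    kept: List[Tuple[str, int]] = []
    dropped: List[Tuple[str, int]] = []
    for addr, ttl in answers:
        if name not in allow_names and is_rebind_target(addr):
            dropped.append((addr, ttl))
        else:
            kept.append((addr, ttl))
    return kept, dropped

# Constructed sample (not real traffic): a public answer followed by the rebind
# to a typical gateway LAN address with a 1-second TTL.
SAMPLE_ANSWERS = [("203.0.113.10", 60), ("192.168.0.1", 1)]

if __name__ == "__main__":
    kept, dropped = filter_answers("pwnmymodem.com", SAMPLE_ANSWERS)
    print("kept:", kept)      # kept: [('203.0.113.10', 60)]
    print("dropped:", dropped)  # dropped: [('192.168.0.1', 1)]
```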
If you want to compile your own payload, grab the toolchain from aeolus and run the following command:
/<toolchain Path>/gnutools/mipsisa32-elf/bin/mipsisa32-elf-gcc -O3 -c ./reverseshell.c -o ./reverseshell.o && /<toolchain Path>/toolchains/gnutools/mipsisa32-elf/bin/mipsisa32-elf-objcopy -O binary reverseshell.o exploit.raw
If you want more details on how to extend the exploit to other modems, please visit https://github.com/Lyrebirds/sagemcom-fast-3890-exploit/blob/master/README.md#exploiting-other-modems